Coinbase Disclosed Users' Biometric Data to Third Parties, Says BIPA Complaint
Coinbase’s requirement that users upload pictures of a valid identification card and a “selfie” violates the Illinois Biometric Information Privacy Act, alleged a Monday class action (docket 4:23-cv-02123) in U.S. District Court for Northern California in Oakland. Plaintiff Michael Massel, an Illinois resident, opened an account with the cryptocurrency exchange firm within the past five years and was required as part of the setup process to upload a valid state-issued ID card and a real-time selfie. Both were also required to gain access to his Coinbase account, said the complaint.
Coinbase scans users’ selfies, creates a biometric template of their faces and compares the facial biometrics to the photo on the ID to confirm a match, said the complaint. Users are also required to set up a Coinbase wallet to open an account; biometric authentication is required to use the mobile app, it said. Authentication requires scanning a fingerprint on users’ mobile devices, which Coinbase uses to verify users’ identities upon login.
The company collects, stores, uses and disseminates users’ biometric data to further enhance its business and platform, and it profits from the facial and fingerprint scans it collects from users, alleges the complaint. Its “unlawful collection” and use of customers’ data exposes them to “serious and irreversible privacy risks,” it said. If the company's database with facial geometry scans or other biometric data is hacked or exposed, “Coinbase users have no means by which to prevent identity theft, unauthorized tracking” or other improper use of personal and private information, it said.
Massel claims Coinbase should have permanently destroyed his facial geometry after he opened his account, and it should have permanently destroyed his fingerprints after he stopped using the Coinbase mobile app. The company didn’t inform him in writing that it was collecting or storing his biometric information, the complaint said.
All revenue or profits Coinbase obtained as a result of Massel’s patronage were predicated on his providing Coinbase with his biometric information and Coinbase’s storage of it, the complaint said. Coinbase “disclosed, redisclosed, or otherwise disseminated” Massel’s biometric information to third-party companies including Jumio, Onfido, Au10tix, Solaris and Liquid, it said.
Plaintiff seeks for himself and the class statutory damages of $5,000 for the “intentional and reckless” violation of BIPA or statutory damages of $1,000 per violation if the court finds violations weren’t willful, plus attorneys’ fees and legal costs, the complaint said. Coinbase didn't comment Wednesday.